Welcome to The Effective IAM Newsletter! Our mission is simple: curate high-impact resources that address real-world cloud IAM challenges for busy security professionals. Each edition features an industry trend, expert insight, or practical tool that you can use.
You should know about:
Finders Keypers: An Open Source Tool to Discover Usage and Blast Radius of Encryption Keys in AWS
The Problem: Understanding where AWS KMS encryption keys are used and their potential blast radius is notoriously difficult.
AWS offers two official methods:
- Examining CloudTrail logs (which can be incomplete, since usage of resources older than 90 days may fall outside the retained history)
- Checking key permissions (which don't tell the full story of which resources actually depend on a key)
The Solution: Jason Kao (Fog Security) built Finders Keypers to provide a third approach – directly analyzing AWS services and resources to determine active KMS key usage across 28 resource types spanning 21 AWS services, with particular focus on compute, databases, analytics, storage, and configuration services.
Why It Matters: As a cloud security professional, knowing exactly which resources are encrypted with which keys is critical for:
- Understanding the true blast radius of potential encryption key abuse
- Managing key rotation safely without service disruption
- Building proper data perimeters and strengthening your cloud security posture
- Making informed decisions about key access control policies
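To make the "blast radius" idea concrete, here is an added example (not Finders Keypers' own code) that groups resources by the KMS key encrypting them, using the resource-inventory approach described above. The inputs are constructed samples shaped like boto3 describe_* / get_bucket_encryption responses, with a fake account ID and fake key IDs; the resource types, field names and the "no key named means aws/s3" rule are AWS's, the function names are this example's.

```python
from collections import defaultdict

def normalize_key_ref(ref: str) -> str:
    """Reduce a KMS reference (key ARN, alias ARN, bare key ID or alias name) to
    'key-id' or 'alias/name'. Aliases are not resolved to key IDs here; doing so
    needs kms:ListAliases, so an alias and its key may appear as separate entries."""
    if ref.startswith("arn:aws:kms:"):
        kind, _, name = ref.split(":", 5)[5].partition("/")
        return f"alias/{name}" if kind == "alias" else name
    return ref

def key_blast_radius(volumes, db_instances, bucket_encryption):
    """Map each KMS key to the resources encrypted with it. Inputs mirror the shape of
    ec2.describe_volumes()['Volumes'], rds.describe_db_instances()['DBInstances'] and
    {bucket: s3.get_bucket_encryption()['ServerSideEncryptionConfiguration']}."""
    radius = defaultdict(list)
    for v in volumes:
        if v.get("Encrypted") and v.get("KmsKeyId"):
            radius[normalize_key_ref(v["KmsKeyId"])].append(f"ec2:volume/{v['VolumeId']}")
    for db in db_instances:
        if db.get("StorageEncrypted") and db.get("KmsKeyId"):
            radius[normalize_key_ref(db["KmsKeyId"])].append(f"rds:db/{db['DBInstanceIdentifier']}")
    for bucket, cfg in bucket_encryption.items():
        for rule in cfg.get("Rules", []):
            sse = rule.get("ApplyServerSideEncryptionByDefault", {})
            if sse.get("SSEAlgorithm") == "aws:kms":
                # SSE-KMS with no key named means the AWS managed key aws/s3.
                key = normalize_key_ref(sse.get("KMSMasterKeyID", "alias/aws/s3"))
                radius[key].append(f"s3:bucket/{bucket}")
    return dict(radius)

# Constructed sample inventory (fake account 123456789012, fake key IDs).
KEY_A = "arn:aws:kms:us-east-1:123456789012:key/1111aaaa-2222-bbbb-3333-cccc4444dddd"
SAMPLE_VOLUMES = [
    {"VolumeId": "vol-0a1", "Encrypted": True, "KmsKeyId": KEY_A},
    {"VolumeId": "vol-0b2", "Encrypted": False},  # unencrypted: no key to report
]
SAMPLE_DBS = [{"DBInstanceIdentifier": "orders-db", "StorageEncrypted": True, "KmsKeyId": KEY_A}]
SAMPLE_BUCKETS = {
    "payroll-exports": {"Rules": [{"ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": "arn:aws:kms:us-east-1:123456789012:alias/payroll"}}]},
    "public-assets": {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]},
    "logs": {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]},
}

if __name__ == "__main__":
    for key, resources in key_blast_radius(SAMPLE_VOLUMES, SAMPLE_DBS, SAMPLE_BUCKETS).items():
        print(f"{key}: {len(resources)} resource(s) -> {', '.join(resources)}")
```

Keys with a long resource list are the ones where a policy change, rotation or deletion has the widest impact, which is exactly what the two official methods struggle to show.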
More helpful KMS resources:
- https://www.effectiveiam.com/simplify-aws-iam – A deeper look at simplifying AWS IAM access management using KMS as a control point
- https://www.k9security.io/docs/secure-data-in-aws-with-key-management-service-kms/ – Best practices for securing data with KMS
- AWS KMS Key Scope Guide (k9) – Answers ‘when should I create a KMS key instead of using an existing key?’
Fun Fact:
AWS Key Management Service (KMS) is a fully managed encryption API and key vault that integrates with more than 65 AWS services!
🎩 Tip of the cap to AWS Security Digest for highlighting this open source tool